Overview

overview

10

Static

static

1

15052024_1...Doc.js

windows7-x64

10

15052024_1...Doc.js

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    15052024_1245_Cognex 3512C Doc.js

  • Size

    7KB

  • MD5

    c8b4efbf7ede4e5741be5e2ae2462b3b

  • SHA1

    dc077b682365eef97c0ced977916fcb117743cf6

  • SHA256

    deec2bd866af640bcaecd5357f54da87dd045c8017a8f8a76ac0068ce43eebaa

  • SHA512

    eb98175eb0486b17ac217e5380ec771666d176fde50a3ecf416aafb2cef7b0e91ec8386417519b51f69fa381834571fbaae1f92a9baec0dc53d80515da5446d6

  • SSDEEP

    192:pRn5hokWxcYy0AkSsDX5VF30Ver0O86+ISMquF4dOryL:fnckWx2kSsDX5P3L7+ISMq24dOryL

Score
10/10
zgratexecutionpersistencerat

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\15052024_1245_Cognex 3512C Doc.js"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Users\Admin\AppData\Roaming\windows.exe
        "C:\Users\Admin\AppData\Roaming\windows.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\ProgramData\windows\explorere
          "C:\ProgramData\windows\explorere" {4B08985C-0E0F-4678-84A8-2A0974B289FF}
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3812
          • C:\ProgramData\windows\explorere
            "C:\ProgramData\windows\explorere"
            5⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

JavaScript

1
T1059.007

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\windows.exe
    Filesize

    4.5MB

    MD5

    ef0124f238734460752a0de9e85501bc

    SHA1

    8dcbd7b8c753329ffc4a68a4bac8c3ab5ba62dfb

    SHA256

    4a299f5b0de81d51e75d45e9b49e830e4230346329d9ed15197ddf1ac2853644

    SHA512

    6aa0476b378bf34eb274ef2b62d8cb12f2c5014cae0e02a6ffea55e4c0fd009e07f8816b23bb6ad2ed57a0a8173668ae3c24f94bcecd131348c5347510fcac3c

    Download Submit
  • memory/3468-21-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3468-20-0x000001DFE3500000-0x000001DFE3980000-memory.dmp
    Filesize

    4.5MB

    Download
  • memory/3468-22-0x000001DFFDED0000-0x000001DFFE10E000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-28-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-64-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-59-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-52-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-50-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-48-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-44-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-42-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-40-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-38-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-36-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-34-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-32-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-30-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-26-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-46-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-24-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-23-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-78-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-76-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-86-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-84-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-82-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-80-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-74-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-72-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-70-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-68-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-66-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-62-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-60-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-56-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-54-0x000001DFFDED0000-0x000001DFFE107000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/3468-4904-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3468-4906-0x000001DFE55D0000-0x000001DFE561C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3468-4905-0x000001DFE5650000-0x000001DFE56CA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/3468-4903-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3468-4907-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3468-4908-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3468-4909-0x000001DFFE210000-0x000001DFFE264000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3468-4917-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5088-4915-0x0000000140000000-0x000000014006B000-memory.dmp
    Filesize

    428KB

    Download
  • memory/5088-4921-0x0000000140000000-0x000000014006B000-memory.dmp
    Filesize

    428KB

    Download